CN105991278B - A kind of ciphertext access control method based on CP-ABE - Google Patents

A kind of ciphertext access control method based on CP-ABE

Info

Publication number
CN105991278B
Authority
CN
China
Prior art keywords
user
key
attribute
document
abe
Legal status
Active
Application number
CN201610540456.6A
Other languages
Chinese (zh)
Other versions
CN105991278A (en)
Inventor
周彦萍
黎彤亮
赵环宇
马艳东
慕晓蕾
万仲飞
辛凤艳
Current Assignee
Institute Of Applied Mathematics Hebei Academy Of Sciences
Original Assignee
Institute Of Applied Mathematics Hebei Academy Of Sciences
Events
Application filed by Institute Of Applied Mathematics Hebei Academy Of Sciences
Priority to CN201610540456.6A
Publication of CN105991278A
Application granted
Publication of CN105991278B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101: Access control lists [ACL]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0825: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0847: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a ciphertext access control method based on CP-ABE, belonging to the field of information security. It comprises the following steps: 1. preparation and maintenance work, comprising initialization of the ciphertext-policy attribute-based encryption (CP-ABE) system, user registration and audit, generation of the system and user asymmetric key pairs for signing and encryption, generation of the user CP-ABE attribute key SK, and key and attribute certificate management; 2. document sharing, which requires the cooperation of three parties: the document provider, the eXtensible Access Control Markup Language (XACML) access control system and the sharing user. The invention uses the attribute certificate of a PMI system as the declaration credential for the CP-ABE attribute set and access structure, and expresses the CP-ABE policy in XACML, which ensures the security of the attribute set and access control structure descriptions. The invention introduces a hierarchical structure with inheritance, supports distributed, delegable and derivable attribute authority whose capabilities must obey the constraints of the hierarchy, and is suited to distributed, open network application environments.

Description

A kind of ciphertext access control method based on CP-ABE
Technical field
The present invention relates to ciphertext access control technology (encrypting information and controlling users' decryption capability), and in particular to a ciphertext access control method based on CP-ABE; it belongs to the field of information security.
Background technique
With the rapid progress of information technology and network technology, distributed applications have found ever wider use, but for the sensitive data in such applications, secure information sharing must be realized through ciphertext access control (encrypting information and controlling users' decryption capability). Traditional encryption systems such as PKI (Public Key Infrastructure) and the identity-based encryption system IBE are widely used in distributed applications. A conventional encryption system must first enumerate the users in the sharing group and obtain their public keys, and must generate a ciphertext with each user's public key, so the number of encryptions equals the number of users in the sharing group; then, after the sharing users receive the ciphertext, each decrypts with their own private key to obtain the plaintext of the shared information. But in some distributed network applications, because the system is widely distributed geographically, the information sharing group may span the whole country or even the globe; the number of individuals in the sharing group can be extremely large, which is not only hard to enumerate but may also damage user privacy; or the members of the sharing group are the individuals who meet certain specified conditions and cannot be enumerated at all. Moreover, information sharing demands not only high security but also high efficiency. In the face of this situation, conventional encryption systems are helpless and cannot satisfy the security needs of information sharing.
The CP-ABE algorithm can formulate flexible access policies and is better suited to ciphertext access control in distributed environments: the encrypting party need not know who will decrypt when it encrypts the information, and the decrypting party only needs to meet the corresponding conditions in order to decrypt. Many scholars at home and abroad have studied the CP-ABE algorithm. L. Cheung et al. proposed a CP-ABE scheme by providing a fixed-size access control expression tree, realizing an AND-gate access structure acting on positive and negative attributes, which improved expressiveness. The CP-ABE scheme proposed by B. Waters is proven secure under a standard model; its control structure is described with an LSSS (Linear Secret Sharing Scheme), which determines which subsets of attributes belong to the authorized set and which do not, and the scheme made a very large contribution both in expressive capability and in security proof. In 2008 the research group of Cao Zhenfu and Dong Xiaolei at the Trusted Digital Technology Laboratory of Shanghai Jiao Tong University designed a new efficient CP-ABE scheme for solving the sharing problem of encrypted data, and was the first in the world to realize the research and development of an encrypted data sharing mobile device and related programs.
Scholars' research has concentrated mainly on stronger expressive capability, proofs of the protocol's security model and efficiency. Although many results have been obtained, together with concrete implementation models combined with practical applications, many problems remain to be studied, including how to design a secure and flexible way of describing attribute sets, how to construct access control structures that are easy to maintain, how to enhance the expressive capability of access control structures, and how to design a complete, detailed authorization embodiment. Only by resolving these problems can CP-ABE find more practical application scenarios.
Summary of the invention
The technical problem to be solved by the invention is to provide a ciphertext access control method based on CP-ABE in which the description of attribute sets and access control structures is secure and reliable.
The technical solution adopted in the present invention includes the following steps:
Step 1. Preparation and maintenance work, comprising:
1. Complete the initialization of the ciphertext-policy attribute-based encryption system (CP-ABE), generating the system public parameters PK and the master key MK;
2. Generate the IBE asymmetric key pairs of the system authorization administrator as the system asymmetric key pairs, one pair for system encryption and one pair for signing; both pairs are stored in the system authorization administrator's dedicated security device (USB key);
3. Complete user registration;
4. Audit the user registration information;
5. Generate the user's IBE asymmetric key pairs, one pair for encryption and one pair for signing; both pairs are stored in the user's dedicated security device (USB key);
6. Store, update and manage the system and user PKI and IBE key pairs;
7. Generate the user attribute certificate AC and store it in the Lightweight Directory Access Protocol (LDAP) certificate repository;
8. Obtain the user attribute set S from the user attribute certificate AC, generate the user's CP-ABE attribute key SK from S and the system master key MK, SK = KeyGen(MK, S), and store SK in the user's dedicated security device (USB key);
9. Store and manage attribute certificates; an attribute certificate consists of two parts, the attribute certificate AC and its extension, the attribute descriptor certificate ADC.
Step 2. Document sharing requires the cooperation of three parties: the document provider, the XACML access control system and the sharing user. The specific work is as follows:
1) The work steps of the shared document provider are as follows:
1-1. The document provider formulates the conditions that a sharing user must meet, i.e. the access structure, forms it into an XML document, signs it with the document provider's IBE private key, encrypts it with the system public key, and stores it in the attribute descriptor certificate ADC under the provider's name;
1-2. The document provider formulates the environment and policy constraint conditions, forms them into an XACML policy file, and likewise signs it with its IBE private key and encrypts it with the system public key;
1-3. Using a hybrid encryption mechanism, the session key Key of the document is CP-ABE-encrypted under the access structure in the document provider's attribute descriptor certificate ADC, the document content is encrypted with Key, and an encrypted message packet is formed;
1-4. The document provider hands the encrypted message packet to the XACML access control system, which prepares to transfer it to the sharing user;
2) The work steps of the XACML access control system are as follows:
2-1. The user submits a sharing request for a document to the policy enforcement point PEP;
2-2. The PEP responds to the user's request and determines the document ID to be shared and the user ID;
2-3. The PEP requires the user to submit the relevant authentication and assessment information, comprising environment information such as the current network condition, the operating condition of the computer system software, the hardware operating condition and the parameters of the computer's main equipment;
2-4. The user collects the assessment information and sends it to the PEP;
2-5. From the access request provided by the user (including the user ID, shared document ID and sharing mode) and the related assessment information, the PEP forms a decision request message in XACML format and sends it to the policy decision point PDP for assessment and decision;
2-6. The PDP receives the request message sent by the PEP, parses it, and obtains the user ID, shared document ID, sharing mode, environment conditions and the other authentication and assessment information;
2-7. The PDP requests the policy information point PIP to return the attribute values related to the subject, resource or environment;
2-8. The PDP requests the policy for the shared document ID from the policy administration point PAP;
2-9. The PAP obtains the ID of the document provider from the shared document ID, then obtains the document provider's attribute descriptor certificate ADC from the LDAP certificate repository, and from it obtains the ciphertext of the XACML policy file formulated by the document provider; the PAP transmits this policy ciphertext to the PDP;
2-10. The PDP verifies the document provider's signature on the policy file ciphertext it received. If verification passes, it decrypts the ciphertext with the system private key, obtains the policy file, and goes to step 2-11. Otherwise the PDP decision terminates with the assessment result that the policy file signature verification failed, and it goes to step 2-12;
2-11. According to the XACML policy file, the PDP determines whether the environment conditions submitted by the user satisfy the environment conditions formulated by the document provider, and whether the policy constraint conditions are also satisfied. If either is not satisfied, the PDP decides to deny access; if both are satisfied, access is allowed;
2-12. The PDP informs the PEP of the decision result;
2-13. If the PDP decision result received by the PEP allows access, the XACML access control system transmits the encrypted document packet to the user, who obtains the encrypted message packet and can perform CP-ABE decryption; otherwise the XACML access control system refuses to transmit the shared document's encrypted message packet to the user.
3) The work steps of the sharing user are as follows:
3-1. The sharing user receives the encrypted message packet transmitted by the XACML access control system;
3-2. The sharing user obtains the signature SIG from the encrypted message packet and obtains the IBE signature public key of the document provider;
3-3. The sharing user verifies the signature SIG with the document provider's IBE signature public key; if verification passes, the user continues, otherwise the process terminates;
3-4. The sharing user obtains the ciphertext CK from the packet and, using the CP-ABE encryption system, decrypts CK with the attribute key SK in the user's own USB key device, obtaining the session key Key, i.e. Key = Decrypt(PK, CK, SK). Only an authorized user, i.e. a sharing user whose attributes meet the conditions (the access structure) formulated by the document provider, can decrypt correctly;
3-5. E(F) is obtained from the packet and decrypted with Key, yielding the plaintext of the shared document to be accessed.
Further, in step 2, in the work of the shared document provider, the method of CP-ABE-encrypting the document under the access structure in the document provider's attribute descriptor certificate ADC is as follows:
1-3-1. Generate the session key Key;
1-3-2. Encrypt the content of the electronic document M to be shared with the session key Key, forming the ciphertext E(F);
1-3-3. Sign E(F) with the document provider's IBE signature private key, forming the signature SIG;
1-3-4. Obtain the document provider's ADC and from it the ciphertext of the access structure XML file;
1-3-5. Verify the document provider's signature on the XML file ciphertext obtained, and decrypt it with the system private key to obtain the XML file;
1-3-6. Generate the access structure T from the XML file;
1-3-7. Using the CP-ABE system, encrypt the session key Key, the result being CK, i.e. CK = Encrypt(PK, Key, T);
1-3-8. Generate the encrypted message packet, i.e. CK + E(F) + SIG.
Further, in step 1, managing the attribute certificate AC means that the issuance of attribute certificates AC is divided into three levels: the trusted source of authority (SOA) center, the attribute authority (AA) center and the AA agent point.
Further, the attribute certificate AC and the attribute descriptor certificate ADC that records the access policy are issued by the SOA center, the AA center or the AA agent, and are stored in the server-side LDAP certificate repository.
Further, the attribute certificate AC and the attribute descriptor certificate ADC follow the X.509v4 standard and are described in the ASN.1 encoding format.
Further, the functions of the trusted SOA center, the AA center and the AA agent point are each performed by a corresponding system administrator; each system administrator holds two IBE key pairs, one for signing and one for encryption, with the private keys kept in a personal USB Key digital device and the public keys kept on the server.
Further, when an attribute certificate AC is issued at the SOA center or the AA center, it is signed with the private key of the corresponding administrator.
Further, in step 1, managing attribute certificates AC also includes acceptance, encoding, issuance and revocation; the acceptance, generation, encoding, issuance and revocation of attribute certificates AC are the responsibility of the authorization administrator and the issuing administrator.
Further, in step 2-3, the PEP requires the user to submit the relevant authentication and assessment information, which includes the current network condition, the operating condition of the computer system software, the hardware operating condition and the parameters of the computer's main equipment.
Further, in step 2-4, the access request provided by the user to the PEP comprises the user ID, the shared document ID and the sharing mode.
The beneficial effects of the present invention are as follows:
This method is a CP-ABE access control embodiment based on the Privilege Management Infrastructure (PMI) and the eXtensible Access Control Markup Language (XACML). It uses the attribute certificate of the PMI system as the declaration credential for the CP-ABE attribute set and access structure and expresses the CP-ABE policy in XACML, which ensures the security of the attribute set and access control structure descriptions. The invention introduces a hierarchical structure with inheritance, supports distributed, delegable and derivable attribute authority whose capabilities must obey the constraints of the hierarchy, and is suited to distributed, open network application environments.
Detailed description of the invention
Fig. 1 is the data flow model diagram of the XACML access control model in this method.
Fig. 2 is the work flow diagram of hybrid encryption in the embodiment.
Fig. 3 is the work flow diagram of the shared document provider in this method.
Fig. 4 is the CP-ABE encryption flow diagram in this method.
Fig. 5 is the work flow diagram of the XACML access control system in this method.
Fig. 6 is the work flow diagram of the sharing user's processing of the CP-ABE encrypted message packet in this method.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described clearly and completely below with reference to Fig. 1 to Fig. 6 and a specific embodiment.
The present embodiment classifies shared resources. For resources that cannot be shared as independent electronic documents, such as hardware devices or real-time information queries that do not produce a result file, the user's access rights are all recorded in the user's attribute certificate AC, and access control uses PMI mechanisms, the role-based access control model and XACML access control. For resources that can be shared in the form of independent electronic documents, a broadcast-like sharing effect is realized with the CP-ABE mechanism. Therefore, in the XACML access control model, whose data flow model is shown in Fig. 1, we add CP-ABE policies. These policies contain only the running environment conditions and policy constraint conditions that must be met at access time; they are stored as XACML policy files, and the policy decision point PDP only needs to assess and decide on them. When the assessment passes, the user receives an encrypted message packet processed with the hybrid encryption mechanism, in which CP-ABE encryption and session key encryption are combined as shown in Fig. 2; the received ciphertext can be decrypted only when the user attributes stored in the attribute certificate AC satisfy the access structure in the attribute descriptor certificate ADC. To guarantee the security of the CP-ABE access structure and policy, the invention protects the XML file describing the access structure and the XACML policy file with the publisher's IBE private key signature and the system's IBE public key encryption, which guarantees non-repudiation and integrity and prevents theft in transit.
The present embodiment consists of two parts, a server side and a client side. The server side mainly undertakes information management, policy formulation, data computation and data processing, and provides an API interface for the client; for security these functions are performed by designated system administrators. The client is the user's operating interface.
The present embodiment is realized with the following steps:
Step 1. Server preparation work, comprising:
1. Complete the initialization of the ciphertext-policy attribute-based encryption system (CP-ABE), generating the system public parameters PK and the master key MK;
2. Generate the IBE asymmetric key pairs of the system authorization administrator as the system asymmetric key pairs, one pair for system encryption and one pair for signing; both pairs are stored in the system authorization administrator's dedicated security device (USB key);
3. Complete user registration;
4. Audit the user registration information;
5. Generate the user's IBE asymmetric key pairs, one pair for encryption and one pair for signing; both pairs are stored in the user's dedicated security device (USB key);
6. Store, update and manage the system and user PKI and IBE key pairs;
7. Generate the user attribute certificate AC and store it in the Lightweight Directory Access Protocol (LDAP) certificate repository;
8. Obtain the user attribute set S from the user attribute certificate AC, generate the user's CP-ABE attribute key SK from S and the system master key MK, SK = KeyGen(MK, S), and store SK in the user's dedicated security device (USB key);
9. Store and manage attribute certificates; an attribute certificate consists of two parts, the attribute certificate AC and its extension, the attribute descriptor certificate ADC.
Step 2. Document sharing requires the cooperation of three parties: the document provider, the XACML access control system and the sharing user. The specific work is as follows:
1) The work steps of the shared document provider are as follows, as shown in Fig. 3:
1-1. The document provider formulates the conditions that a sharing user must meet, i.e. the access structure, forms it into an XML document, signs it with the document provider's IBE private key, encrypts it with the system public key, and stores it in the attribute descriptor certificate ADC under the provider's name;
1-2. The document provider formulates the environment and policy constraint conditions, forms them into an XACML policy file, and likewise signs it with its IBE private key and encrypts it with the system public key;
1-3. Using a hybrid encryption mechanism, the session key Key of the document is CP-ABE-encrypted under the access structure in the document provider's attribute descriptor certificate ADC, the document content is encrypted with Key, and an encrypted message packet is formed, as shown in Fig. 4;
1-4. The document provider hands the encrypted message packet to the XACML access control system, which prepares to transfer it to the sharing user;
2) The work steps of the XACML access control system are as follows, as shown in Fig. 5:
2-1. The user submits a sharing request for a document to the policy enforcement point PEP;
2-2. The PEP responds to the user's request and determines the document ID to be shared and the user ID;
2-3. The PEP requires the user to submit the relevant authentication and assessment information, comprising environment information such as the current network condition, the operating condition of the computer system software, the hardware operating condition and the parameters of the computer's main equipment;
2-4. The user collects the assessment information and sends it to the PEP;
2-5. From the access request provided by the user, including the user ID, shared document ID and sharing mode, and the related assessment information, the PEP forms a decision request message in XACML format and sends it to the policy decision point PDP for assessment and decision;
2-6. The PDP receives the request message sent by the PEP, parses it, and obtains the user ID, shared document ID, sharing mode, environment conditions and the other authentication and assessment information;
2-7. The PDP requests the policy information point PIP to return the attribute values related to the subject, resource or environment;
2-8. The PDP requests the policy for the shared document ID from the policy administration point PAP;
2-9. The PAP obtains the ID of the document provider from the shared document ID, then obtains the document provider's attribute descriptor certificate ADC from the LDAP certificate repository, and from it obtains the ciphertext of the XACML policy file formulated by the document provider; the PAP transmits this policy ciphertext to the PDP;
2-10. The PDP verifies the document provider's signature on the policy file ciphertext it received. If verification passes, it decrypts the ciphertext with the system private key, obtains the policy file, and goes to step 2-11. Otherwise the PDP decision terminates with the assessment result that the policy file signature verification failed, and it goes to step 2-12;
2-11. According to the XACML policy file, the PDP determines whether the environment conditions submitted by the user satisfy the environment conditions formulated by the document provider, and whether the policy constraint conditions are also satisfied. If either is not satisfied, the PDP decides to deny access; if both are satisfied, access is allowed;
2-12. The PDP informs the PEP of the decision result;
2-13. If the PDP decision result received by the PEP allows access, the XACML access control system transmits the encrypted document packet to the user, who obtains the encrypted message packet and can perform CP-ABE decryption; otherwise the XACML access control system refuses to transmit the shared document's encrypted message packet to the user.
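As an added example of the PDP decision in step 2-11 (this is not the patent's code), the following minimal XACML 3.0 evaluator checks the environment conditions submitted in step 2-4 and the provider's policy constraint from step 1-2 and permits only when all of them hold; it supports a small XACML subset only (one Policy, Rules whose Condition is built from Apply, AttributeDesignator and AttributeValue, five standard function URNs, deny-unless-permit combining), and the attribute ids and sample values are constructed for the example.

```python
"""Added example, not the patent's own code. A minimal XACML 3.0 evaluator for the
PDP decision of step 2-11: the environment conditions the user submitted in
step 2-4 and the provider's policy constraint (step 1-2) must all hold, else the
decision is Deny. It supports only a small XACML subset (one Policy, Rules with an
Apply/AttributeDesignator/AttributeValue Condition, five standard function URNs,
deny-unless-permit combining). Attribute ids and sample values are constructed."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
F = "urn:oasis:names:tc:xacml:1.0:function:"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
STR = "http://www.w3.org/2001/XMLSchema#string"
INT = "http://www.w3.org/2001/XMLSchema#integer"

def _designator(attr_id, category, dtype):
    return (f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{dtype}" MustBePresent="true"/>')

# Constructed policy file for document doc-42: the network must be the intranet and the
# OS patch level at least 2016 (environment conditions); sharing mode must be "read"
# (policy constraint). All three are conjoined, as step 2-11 requires.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="doc-42" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target/>
  <Rule RuleId="permit-when-all-conditions-hold" Effect="Permit">
    <Condition>
      <Apply FunctionId="{F}and">
        <Apply FunctionId="{F}string-equal">
          <Apply FunctionId="{F}string-one-and-only">{_designator("env:network", ENV, STR)}</Apply>
          <AttributeValue DataType="{STR}">intranet</AttributeValue>
        </Apply>
        <Apply FunctionId="{F}integer-greater-than-or-equal">
          <Apply FunctionId="{F}integer-one-and-only">{_designator("env:os-patch-level", ENV, INT)}</Apply>
          <AttributeValue DataType="{INT}">2016</AttributeValue>
        </Apply>
        <Apply FunctionId="{F}string-equal">
          <Apply FunctionId="{F}string-one-and-only">{_designator("action:share-mode", ACT, STR)}</Apply>
          <AttributeValue DataType="{STR}">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

# Constructed decision request (step 2-5): bags of values keyed by (category, attribute id).
SAMPLE_REQUEST = {
    (ENV, "env:network"): ["intranet"],
    (ENV, "env:os-patch-level"): ["2016"],
    (ACT, "action:share-mode"): ["read"],
}

def _eval(el, request):
    """Evaluate one expression element; a missing or multi-valued attribute raises."""
    tag = el.tag.split("}")[-1]
    if tag == "AttributeValue":
        return int(el.text) if el.get("DataType") == INT else el.text
    if tag == "AttributeDesignator":
        bag = request.get((el.get("Category"), el.get("AttributeId")), [])
        if not bag and el.get("MustBePresent") == "true":
            raise LookupError(el.get("AttributeId"))  # Indeterminate in XACML terms
        return bag
    fn = el.get("FunctionId")[len(F):]
    args = [_eval(c, request) for c in el]
    if fn == "and":
        return all(args)
    if fn in ("string-one-and-only", "integer-one-and-only"):
        if len(args[0]) != 1:
            raise ValueError(fn)
        return int(args[0][0]) if fn.startswith("integer") else args[0][0]
    if fn == "string-equal":
        return args[0] == args[1]
    if fn == "integer-greater-than-or-equal":
        return args[0] >= args[1]
    raise NotImplementedError(fn)

def decide(policy_xml, request):
    """Deny-unless-permit: Permit only if a Permit rule's Condition is true; an
    Indeterminate condition counts as not satisfied, so the decision is Deny."""
    ns = {"x": XACML}
    for rule in ET.fromstring(policy_xml).findall("x:Rule", ns):
        cond = rule.find("x:Condition", ns)
        try:
            holds = cond is None or bool(_eval(cond[0], request))
        except (LookupError, ValueError):
            holds = False
        if holds and rule.get("Effect") == "Permit":
            return "Permit"
    return "Deny"
```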
3) The work steps of the sharing user are as follows, as shown in Fig. 6:
3-1. The sharing user receives the encrypted message packet transmitted by the XACML access control system;
3-2. The sharing user obtains the signature SIG from the encrypted message packet and obtains the IBE signature public key of the document provider;
3-3. The sharing user verifies the signature SIG with the document provider's IBE signature public key; if verification passes, the user continues, otherwise the process terminates;
3-4. The sharing user obtains the ciphertext CK from the packet and, using the CP-ABE encryption system, decrypts CK with the attribute key SK in the user's own USB key device, obtaining the session key Key, i.e. Key = Decrypt(PK, CK, SK). Only an authorized user can decrypt correctly, an authorized user being a sharing user whose attributes meet the conditions, i.e. the access structure, formulated by the document provider;
3-5. E(F) is obtained from the packet and decrypted with Key, yielding the plaintext of the shared document to be accessed.
Further, in step 2, in the work of the shared document provider, the method of CP-ABE-encrypting the document under the access structure in the document provider's attribute descriptor certificate ADC is as follows, as shown in Fig. 4:
1-3-1. Generate the session key Key;
1-3-2. Encrypt the content of the electronic document M to be shared with the session key Key, forming the ciphertext E(F);
1-3-3. Sign E(F) with the document provider's IBE signature private key, forming the signature SIG;
1-3-4. Obtain the document provider's ADC and from it the ciphertext of the access structure XML file;
1-3-5. Verify the document provider's signature on the XML file ciphertext obtained, and decrypt it with the system private key to obtain the XML file;
1-3-6. Generate the access structure T from the XML file;
1-3-7. Using the CP-ABE system, encrypt the session key Key, the result being CK, i.e. CK = Encrypt(PK, Key, T);
1-3-8. Generate the encrypted message packet, i.e. CK + E(F) + SIG.
Further, in step 1, the management of attribute certificates AC divides their issuance into three levels: the trust source point (SOA) center, the attribute authority (AA) center and the AA agent point.
Further, the attribute certificate AC and the attribute descriptor certificate ADC recording the access policy are issued by the SOA center, the AA center or an AA agent, and are stored in the LDAP certificate repository on the server side.
Further, the attribute certificate AC and the attribute descriptor certificate ADC follow the X.509v4 standard and are described in the ASN.1 encoding format.
Further, the functions of the SOA center, the AA center and the AA agent point are each carried out by a corresponding system administrator. Each system administrator holds two IBE key pairs, one for signing and one for encryption; the private keys are kept in the administrator's personal USB Key digital device and the public keys are kept on the server.
Further, when an attribute certificate AC is issued at the SOA center or the AA center, it is signed with the private key of the corresponding administrator.
Further, in step 1, the management of attribute certificates AC also includes acceptance, encoding, issuance and revocation; the acceptance, generation, encoding, issuance and revocation of an AC are the responsibility of the authorizing administrator and the issuing administrator. These are defined as follows:
1. Acceptance: receive and verify requests to generate or revoke attribute certificates, and process them.
2. Generation: perform the operations involved in generating and issuing the various kinds of attribute certificate.
3. X.509 encoding: perform the encoding function based on the X.509v4 standard, using the ASN.1 encoding format.
4. Digital signature: digitally sign the attribute certificate that has been encoded in ASN.1 (Abstract Syntax Notation One) according to the X.509v4 standard; the signing private key is kept in the system administrator's portable USB digital device.
5. LDAP publication: publish the attribute certificate in the LDAP certificate repository.
6. Revocation: respond to a revocation request by deleting the certificate entry to be revoked from the LDAP certificate repository.
From a functional perspective, an implementation of the invention comprises a server side and a client side:
The server side mainly undertakes information management, policy development, data computation and data processing, and provides an API to the client. Its functions are as follows:
1. Receive user registration information;
2. Complete the initialization of the CP-ABE mechanism, generating the system public parameters PK and the master key MK;
3. Receive and audit applications for user attribute certificates AC; after auditing, generate the AC and store it in LDAP, then generate the user's CP-ABE private key SK from the AC and the system master key MK and store it in the user's dedicated device, such as a USB Key;
4. Receive applications for attribute descriptor certificates ADC; generate the ADC and store it in LDAP;
5. Store and manage attribute certificates AC and attribute descriptor certificates ADC, including acceptance, encoding, issuance and revocation;
6. Receive service requests from shared document provider users;
7. Receive service requests from users sharing documents;
8. Implement the functions of the XACML access control system;
9. Implement the functions of the Policy Enforcement Point PEP, Policy Information Point PIP, Policy Decision Point PDP and Policy Administration Point PAP of the XACML access control model.
The client is the user's operating interface, with the following functions:
1. User registration;
2. Submitting applications for user attribute certificates AC and attribute descriptor certificates ADC;
3. Submitting user access requests;
4. Receiving the encrypted packet returned by the server in response to an access request, and performing IBE and CP-ABE decryption on the packet.
As shown in Figure 1, the invention uses XACML-based access control technology; the parts of the model are described as follows:
1. The Policy Enforcement Point PEP receives the user's request.
2. The PEP retrieves from the Policy Information Point PIP the attribute values related to the subject, resource or environment of the user's request, and generates a request in XACML format.
3. The PEP sends the user's request in XACML format to the Policy Decision Point PDP.
4. The PDP requests the corresponding policies from the Policy Administration Point PAP in order to evaluate the request; the PDP selects the policies according to the policy target, which contains information about the subject, the action and other environment attributes.
5. The PDP retrieves the relevant information from the PIP to evaluate the request.
6. The PDP evaluates the request and returns the evaluation result to the PEP in XACML format; the result may be to permit or to deny access, and may carry appropriate obligations.
7. The PEP enforces the decision, permitting or denying access according to the authorization decision sent by the PDP.
The model is realized in the following steps:
1. Policy creation:
The policy file is generated by the Policy Administration Point PAP. First the policy's rule combining algorithm is selected; then the policy target, the relevant rules and all required policy sub-components are constructed; finally a Policy object is created and saved to a file to be passed to the PDP.
In actual operation, because each Request may contain only one Action element, many Requests may be generated on the client, so that the processing time and delay spent collecting all the access decisions can become intolerable. To address this, the target-related information of the policies can be stored in LDAP, and the PDP selects the corresponding policies for evaluating a request by searching LDAP. Loading only the relevant policies in this way greatly reduces the system's overhead.
2. Policy Decision Point PDP:
The PDP evaluates the request against the policies and returns a response. The PDP creation and request evaluation process is: first read the policy file; construct the policy finder module, which provides the mechanism for locating attributes, policies and resources; set the policy finder the PDP will use; create the PDP by initializing the PDP class; the PDP then calls the evaluation method to evaluate the request from the PEP and returns the decision result to the PEP.
3. The Policy Enforcement Point PEP comprises:
A. Request generation
The PEP generates an access request according to the application environment and sends it to the PDP, then enforces the result and the obligations returned by the PDP.
B. Parsing the returned result
The PDP evaluates the request against the policies and, after the authorization decision, returns the result to the PEP.
The access control of this embodiment is designed on the basis of CP-ABE, comprising (1) the determination of the CP-ABE scheme and (2) the access control design. (1) Determination of the CP-ABE scheme. A CP-ABE scheme must first be chosen. By studying the well-known CP-ABE literature and comparing and analysing the existing CP-ABE schemes, we learned that as research has deepened, both the expressive power and the security proofs of CP-ABE algorithms have improved continuously: from the introduction of tree-like access control structures, to extending the access structure to include NOT gates over attributes, to non-monotonic attribute structures, and then to control structures expressed with LSSS. Security proofs have likewise been based on different assumptions under different models and have become both more secure and more practical. The LSSS-based CP-ABE scheme proposed by B. Waters has great advantages in both expressive power and security proof, but extending it to negated attributes is relatively difficult. The CP-ABE scheme proposed by J. Bethencourt et al. realizes AND and OR gates on the access structure tree, fits practical application scenarios very well, and is also highly efficient. After weighing the advantages and disadvantages, we decided to use the scheme of J. Bethencourt et al. as the basis of the access control.
The CP-ABE scheme of J. Bethencourt is described as follows:
(1) Attribute set
Let P = {P1, P2, ..., Pn} be the set of all attributes; the attribute set S of each user is then a non-empty subset of P, S ⊆ P, so that N attributes can identify 2^N users.
(2) Access structure
An access structure T is a non-empty subset of the universe {P1, P2, ..., Pn}, T ⊆ 2^{P1, P2, ..., Pn} \ {φ}. It represents an attribute condition: the attribute sets in T are called authorized sets and the attribute sets not in T are called unauthorized sets.
(3) Access tree
An access tree describes an access structure: each leaf node of the tree represents an attribute item and each internal node represents a relation function, which may be AND (n of n), OR (1 of n), an n of m threshold (m > n), and so on. In the implementation, every node of the access tree (including the leaf nodes) defines a polynomial, and the nodes are traversed from the root node downwards, in left-to-right order.
The specific CP-ABE algorithms of the J. Bethencourt scheme are:
(1) Initial setup Setup()
Takes the system security parameter Para as input; Setup() outputs the system public parameters PK and the master key MK.
(2) Encryption algorithm Encrypt()
Takes the system public parameters PK, an access structure T and a plaintext M as input; Encrypt() outputs the ciphertext CT.
(3) Key extraction KeyGen()
Takes the system master key MK and an attribute set S as input; KeyGen() outputs the decryption key KS corresponding to S.
(4) Decryption algorithm Decrypt()
Takes the system public parameters PK, the ciphertext CT encrypted under the access structure T, and the decryption key KS corresponding to the attribute set S as input. If the attribute set S satisfies the access structure T, Decrypt() outputs the message M.
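The access-tree layer of the J. Bethencourt scheme described above (each node defines a polynomial, nodes are visited top-down and left to right, and Decrypt() succeeds only when S satisfies T), as an added example that is not part of the patent: the code shares a secret down a constructed tree T and reconstructs it with Lagrange interpolation. The bilinear-pairing layer that binds each leaf share to a user's attribute key SK is omitted, so this shows which attribute sets can reconstruct, not a usable encryption scheme; the field prime and the example tree are constructed choices.

```python
"""Added example (not from the patent): access-tree secret sharing of Bethencourt CP-ABE.

Each node x of T gets a polynomial q_x of degree (threshold - 1) with q_x(0) equal to the
node's secret; child i receives q_x(i).  Reconstruction walks back up the tree and succeeds
exactly when the attribute set S satisfies T.  No pairing layer: illustration only."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

P = (1 << 127) - 1  # prime field modulus (constructed choice for the example)


@dataclass
class Node:
    """Leaf: carries an attribute.  Internal node: a k-of-n gate over its children."""
    attr: Optional[str] = None
    k: int = 1
    children: List["Node"] = field(default_factory=list)
    share: Optional[int] = None  # filled in for leaves by share_secret()


def LEAF(attr: str) -> Node:
    return Node(attr=attr)


def AND(*children: Node) -> Node:  # n of n
    return Node(k=len(children), children=list(children))


def OR(*children: Node) -> Node:  # 1 of n
    return Node(k=1, children=list(children))


def THRESHOLD(k: int, *children: Node) -> Node:  # k of n with k < n
    return Node(k=k, children=list(children))


def _poly_eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation of q(x) = coeffs[0] + coeffs[1]*x + ... over GF(P)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def share_secret(node: Node, secret: int) -> None:
    """Encrypt-side walk (top-down, left to right): choose q_x with q_x(0) = secret."""
    if node.attr is not None:
        node.share = secret % P  # leaf: the share that would be bound to the attribute
        return
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for index, child in enumerate(node.children, start=1):
        share_secret(child, _poly_eval(coeffs, index))


def _lagrange_at_zero(points: List[Tuple[int, int]]) -> int:
    """Recover q(0) from k points (x_i, q(x_i)) of a degree-(k-1) polynomial."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * xj % P
                den = den * (xj - xi) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(node: Node, S: Set[str]) -> Optional[int]:
    """Decrypt-side walk: the node's secret if S satisfies the subtree, otherwise None."""
    if node.attr is not None:
        return node.share if node.attr in S else None
    points: List[Tuple[int, int]] = []
    for index, child in enumerate(node.children, start=1):
        value = reconstruct(child, S)
        if value is not None:
            points.append((index, value))
        if len(points) == node.k:  # enough satisfied children for this gate
            return _lagrange_at_zero(points)
    return None


# Constructed access structure T: dept:research AND (director OR any 2 of the 3 listed).
T = AND(LEAF("dept:research"),
        OR(LEAF("title:director"),
           THRESHOLD(2, LEAF("project:A"), LEAF("project:B"), LEAF("clearance:secret"))))
SECRET = 123456789  # constructed value standing in for the secret Encrypt() hides
share_secret(T, SECRET)

if __name__ == "__main__":
    print(reconstruct(T, {"dept:research", "project:A", "clearance:secret"}))  # SECRET
    print(reconstruct(T, {"dept:research", "project:A"}))  # None: 2-of-3 gate not met
```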
(2) Access control design, comprising the expression of the attribute set, the expression of the access structure, and the access control model:
Expression of the attribute set:
The attribute set of CP-ABE is described with the attribute certificate AC of the PMI (Privilege Management Infrastructure) system.
A user is described by attributes, and the attribute certificate AC serves as the credential of the user's attributes. The AC is generated from the description information submitted by the user. The AC is described using the national standard GB/T 16264.8-2005 certificate format, which conforms to the international standard X.509 v4, and the ASN.1 (Abstract Syntax Notation One) encoding format.
Expression of the access structure:
The CP-ABE access structure is recorded in an eXtensible Markup Language (XML) file, and the content of the resulting XML access structure file is copied into the PrivilegePolicyIdentifier attribute value in the extension field of the attribute descriptor certificate ADC for storage.
Access control model:
The access control model is constructed with XACML; the system uses the XACML 2.0 standard.
The access structure stored in the attribute descriptor certificate ADC is the main component of the access control policy. In addition, the access control policy includes conditions such as environmental constraints and policy constraints, which are stored as XACML policy files and handled by the XACML control model. That is, a dedicated CP-ABE policy is added to the XACML access control model to express the runtime environment conditions and policy constraint conditions that must be satisfied when a document is shared. The Policy Decision Point (PDP) evaluates and adjudicates all the policies the user must satisfy; only a user who passes the evaluation can receive the CP-ABE-encrypted file, otherwise it cannot be received, and only a user whose attributes in the AC satisfy the requirements of the access structure in the ADC can successfully decrypt the received ciphertext.
The invention applies security handling from four angles: the security handling of the CP-ABE algorithm, the security of the access control policy, the combination of CP-ABE with IBE, and the hybrid encryption framework, which are addressed in turn below:
Security handling of the CP-ABE algorithm, comprising the security of the attribute set and the security of the access structure. The security of the attribute set refers to the fact that attributes are the user's private data and also determine which information the user may share; the attribute information submitted by a user is therefore signed with the user's IBE private key and encrypted before being stored in the attribute certificate AC, which both guarantees its confidentiality and ensures it is not stolen in transit. The security of the access structure refers to the fact that the access structure determines the authorized users who may share the information, so the security of the access structure must be guaranteed. The invention protects the XML file describing the access structure by signing it with the issuer's private key and encrypting it with the system public key, which guarantees the non-repudiation of the access structure XML file, that it is not tampered with, and that it is not stolen in transit.
Security of the access control policy: in the invention, the creation, update, revocation and other operations on all XACML policy files are performed by the Policy Administration Point (PAP), and the resulting policy XML files are protected by signing them with the private key of the PAP personnel and encrypting them with the system public key, meeting the security requirements of non-repudiation, tamper-resistance and protection from theft.
Combination of CP-ABE with IBE: every user in the system (including the various system administrators on the server side, such as the PAP) holds a dedicated digital storage device, a USB Key, in which the user's private information is kept. Each user has two IBE key pairs, one for digital signature and one for encryption; the private keys are stored in the USB Key and the public keys are stored on the server. Each user's CP-ABE private key is also stored in this device.
Hybrid encryption framework: CP-ABE and IBE are asymmetric encryption algorithms, which are less efficient than symmetric encryption and hard to use directly for encrypting large amounts of data. The system therefore uses a hybrid encryption framework: the data is first encrypted with a symmetric key, and the symmetric key is then encrypted with CP-ABE or IBE. The workflow under the hybrid encryption framework is shown in Figure 2.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (9)

1. A ciphertext access control method based on CP-ABE, characterized in that it comprises the following steps:
Step 1, preparation and maintenance work, comprising: initialization of the Ciphertext-Policy Attribute-Based Encryption (CP-ABE) system; user registration and auditing; generation of the asymmetric key pairs used by the system and by users for signing and encryption; generation of the user's CP-ABE attribute key SK; and key and attribute certificate management;
Step 2, document sharing, which requires the cooperation of three parties: the document provider, the eXtensible Access Control Markup Language (XACML) access control system, and the shared user. The specific work is as follows:
1) Work of the shared document provider:
The document provider first formulates the conditions the shared user must satisfy, namely the access structure and the environment and policy constraint conditions; then, using the hybrid encryption mechanism, CP-ABE-encrypts and signs the document's session key Key with the document provider's access structure, encrypts the document content with Key, forms the encrypted packet, and hands the encrypted packet to the XACML access control system to be transmitted to the shared user;
2) Work of the XACML access control system:
The Policy Enforcement Point (PEP) receives the user's sharing request and the authentication evaluation information, forms an XACML decision request and sends it to the Policy Decision Point (PDP); the PDP makes a decision according to the user's authentication information and the policy and related attribute values passed to it by the Policy Administration Point (PAP) and the Policy Information Point (PIP), and returns the decision result to the PEP; if the decision result is permit, the XACML access control system sends the encrypted packet to the user; otherwise, or if any signature verification or decryption fails during the decision process, the XACML access control system refuses to send the encrypted packet to the user;
The specific steps of the work of the XACML access control system are as follows:
2-1. The user submits a sharing request for a certain document to the Policy Enforcement Point PEP;
2-2. The PEP responds to the user's request and determines the ID of the document to be shared and the user ID;
2-3. The PEP requires the user to submit the relevant authentication evaluation information, comprising environmental information such as the current network conditions, the operating state of the computer's system software and hardware, and the parameters of the computer's main equipment;
2-4. The user collects the evaluation information and sends it to the PEP;
2-5. From the access request provided by the user, comprising the user ID, the shared document ID and the sharing mode, together with the related evaluation information, the PEP forms a decision request message in XACML format and sends it to the Policy Decision Point PDP for evaluation and decision;
2-6. The PDP receives the request message sent by the PEP and parses it, obtaining the user ID, the shared document ID, the sharing mode and the various authentication evaluation information such as the environment conditions;
2-7. The PDP requests the Policy Information Point PIP to return the attribute values related to the subject, resource or environment;
2-8. The PDP requests the policy for the shared document ID from the Policy Administration Point PAP;
2-9. The PAP obtains the ID of the document provider from the shared document ID, then obtains the document provider's attribute descriptor certificate ADC from the LDAP certificate repository and from it the ciphertext of the XACML policy file formulated by the document provider; the PAP passes this policy ciphertext to the PDP;
2-10. The PDP verifies the document provider's signature on the policy file ciphertext it has received; if it passes, the PDP decrypts the ciphertext with the system private key, obtains the policy file and proceeds to step 2-11; otherwise the PDP's decision process terminates, it gives the evaluation result that the policy file signature verification failed, and proceeds to step 2-12;
2-11. According to the XACML policy file, the PDP determines whether the environment conditions submitted by the user satisfy the environmental conditions formulated by the document provider, and whether the policy constraint conditions are also satisfied; if either is not satisfied, the PDP decides to deny access; if both are satisfied, access is permitted;
2-12. The PDP informs the PEP of the decision result;
2-13. If the PDP decision received by the PEP is to permit access, the XACML access control system transmits the encrypted packet to the user, who obtains the encrypted packet and can perform CP-ABE decryption; otherwise the XACML access control system refuses to transmit the shared document's encrypted packet to the user;
3) Work of the shared user:
After the user receives the encrypted packet sent by the XACML access control system, the signature on the session key Key is first verified; once it passes, Key is obtained by CP-ABE decryption; the shared file is then decrypted with Key to obtain the plaintext. If signature verification fails at any point, the following steps are aborted, and only a user who satisfies the conditions formulated by the shared document provider can correctly decrypt the session key Key.
2. The ciphertext access control method based on CP-ABE according to claim 1, characterized in that the preparation and maintenance work of step 1 comprises:
1. Completing the initialization of CP-ABE, generating the system public parameters PK and the master key MK;
2. Generating the Identity-Based Encryption (IBE) asymmetric key pairs of the system's authorizing administrator as the system asymmetric key pairs, one pair for system encryption and one pair for signing; both pairs are stored in the dedicated security device, the USB key, of the system's authorizing administrator;
3. Completing user registration;
4. Auditing the user registration information;
5. Generating the user's IBE asymmetric key pairs, one pair for encryption and one pair for signing; both pairs are stored in the user's dedicated security device, the USB key;
6. Storing, updating and managing the PKI and IBE key pairs of the system and of users;
7. Generating the user attribute certificate (Attribute Certificate, AC) and storing it in the Lightweight Directory Access Protocol (LDAP) certificate repository;
8. Obtaining the user attribute set S from the user attribute certificate AC, and generating the user's CP-ABE attribute key SK from the user attribute set S and the system master key MK, SK = KeyGen(MK, S); SK is stored in the user's dedicated security device, the USB key;
9. Storing and managing attribute certificates, which comprise two parts: the attribute certificate AC and its extension, the attribute descriptor certificate (Attribute Descriptor Certificate, ADC).
3. The ciphertext access control method based on CP-ABE according to claim 1 or 2, characterized in that in step 2, the specific steps of 1) the work of the shared document provider are as follows:
1-1. The document provider formulates the conditions the shared user must satisfy, namely the access structure, forming an eXtensible Markup Language (XML) document, which is signed with the document provider's IBE private key, encrypted with the system public key, and stored in the attribute descriptor certificate ADC under the provider's name;
1-2. The document provider formulates the environment and policy constraint conditions, forming an XACML policy file, which is likewise signed with the provider's IBE private key and encrypted with the system public key;
1-3. Using the hybrid encryption mechanism, the document's session key Key is CP-ABE-encrypted with the access structure in the document provider's attribute descriptor certificate ADC, the document content is encrypted with Key, and the encrypted packet is formed;
1-4. The document provider hands the encrypted packet to the XACML access control system to be transmitted to the shared user.
4. The ciphertext access control method based on CP-ABE according to claim 3, characterized in that in step 1-3 of 1) the work of the shared document provider in step 2, the method of CP-ABE-encrypting the document with the access structure in the document provider's attribute descriptor certificate ADC to form the encrypted packet is as follows:
1-3-1. Generate the session key Key;
1-3-2. Encrypt the content of the electronic document M to be shared with the session key Key, forming the ciphertext E(F);
1-3-3. Sign E(F) with the document provider's IBE signing private key, forming the signature SIG;
1-3-4. Obtain the document provider's ADC and take from it the ciphertext of the access structure XML file;
1-3-5. Verify the document provider's signature on the obtained XML file ciphertext and decrypt it with the system private key, obtaining the XML file;
1-3-6. Generate the access structure T from the XML file;
1-3-7. Using the CP-ABE system, encrypt the session key Key under T, giving the result CK, i.e. CK = Encrypt(PK, Key, T);
1-3-8. Generate the encrypted packet, i.e. CK + E(F) + SIG.
5. The ciphertext access control method based on CP-ABE according to claim 1 or 2, characterized in that in step 2, the specific steps of 3) the work of the shared user are as follows:
3-1. The shared user receives the encrypted packet transmitted by the XACML access control system;
3-2. The shared user takes the signature SIG from the encrypted packet and obtains the IBE signature public key of the document provider;
3-3. The shared user verifies the signature SIG with the document provider's IBE signature public key; if verification passes, processing continues, otherwise it terminates;
3-4. The shared user takes the ciphertext CK from the packet and, using the CP-ABE system, decrypts CK with the attribute key SK held in the shared user's own USB Key device, obtaining the session key Key, i.e. Key = Decrypt(PK, CK, SK); only an authorized user can decrypt correctly;
3-5. The shared user takes E(F) from the packet and decrypts it with Key, obtaining the plaintext of the shared document to be accessed.
6. The ciphertext access control method based on CP-ABE according to claim 1, characterized in that in step 1, the management of attribute certificates AC specifically comprises: the issuance of the attribute certificate AC and of the attribute descriptor certificate ADC recording the access policy is carried out by the corresponding system administrators of the trust Source Of Authority (SOA) center, the Attribute Authority (AA) center and the AA agent point; each system administrator holds an IBE key pair, of which the private key is kept in a personal USB Key digital device and the public key on the server; when an attribute certificate AC is issued, it is signed with the private key of the corresponding administrator.
7. The ciphertext access control method based on CP-ABE according to claim 1, characterized in that in step 1, the attribute certificate AC is stored in the LDAP certificate repository on the server side, and its management also includes acceptance, encoding, issuance and revocation; the acceptance, generation, encoding, issuance and revocation of the AC are the responsibility of the authorizing administrator and the issuing administrator.
8. The ciphertext access control method based on CP-ABE according to claim 1, characterized in that in step 2-3, the Policy Enforcement Point PEP requires the user to submit the relevant authentication evaluation information, which comprises the current network conditions, the operating state of the computer's system software, the operating state of the hardware, and the parameters of the computer's main equipment.
9. The ciphertext access control method based on CP-ABE according to claim 1, characterized in that in step 2-4, the access request provided by the user to the Policy Enforcement Point PEP comprises the user ID, the shared document ID and the sharing mode.
CN201610540456.6A 2016-07-11 2016-07-11 A kind of ciphertext access control method based on CP-ABE Active CN105991278B (en)

Publications (2)

Publication Number Publication Date
CN105991278A CN105991278A (en) 2016-10-05
CN105991278B true CN105991278B (en) 2019-06-28

Family

ID=57044074

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610540456.6A Active CN105991278B (en) 2016-07-11 2016-07-11 A kind of ciphertext access control method based on CP-ABE

Country Status (1)

Country Link
CN (1) CN105991278B (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106682069B (en) * 2016-11-14 2021-03-09 湖南工业大学 User-controllable data retrieval method, data storage method, terminal and system
CN106549758B (en) * 2016-12-09 2019-07-30 四川师范大学 Support the encryption method based on attribute of non-monotonic access structure
CN106603544B (en) * 2016-12-22 2020-01-03 中国科学技术大学 Data storage and cloud control method with light audit
CN106953839B (en) * 2017-01-13 2020-06-16 重庆邮电大学 System and method for controlling propagation of untrusted resources in Internet of vehicles
EP3379015A1 (en) 2017-03-21 2018-09-26 STMicroelectronics (Grand Ouest) SAS Method and system for monitoring an object intended to be shared by a plurality of potential users
CN107370595A (en) * 2017-06-06 2017-11-21 福建中经汇通有限责任公司 One kind is based on fine-grained ciphertext access control method
CN107846397A (en) * 2017-09-30 2018-03-27 北京理工大学 A kind of cloud storage access control method based on the encryption of attribute base
CN107864139B (en) * 2017-11-09 2020-05-12 北京科技大学 Cryptographic attribute base access control method and system based on dynamic rules
CN108418784B (en) * 2017-12-04 2020-09-25 重庆邮电大学 Distributed cross-domain authorization and access control method based on attribute password
CN108021362B (en) * 2017-12-21 2019-09-20 南京大学 Android application access control code generating method based on XACML access control mechanisms
CN108632030B (en) * 2018-03-22 2020-11-27 中山大学 CP-ABE-based fine-grained access control method
CN108667843A (en) * 2018-05-14 2018-10-16 桂林电子科技大学 A kind of information safety protection System and method for for BYOD environment
CN109617855B (en) * 2018-10-25 2020-10-09 深圳技术大学(筹) File sharing method, device, equipment and medium based on CP-ABE layered access control
CN109327448B (en) * 2018-10-25 2020-10-09 深圳技术大学(筹) Cloud file sharing method, device, equipment and storage medium
EP3883212B1 (en) * 2019-11-12 2023-02-22 Huawei Technologies Co., Ltd. Device upgrade method and related device
CN111625869B (en) * 2020-04-23 2022-02-25 腾讯科技(深圳)有限公司 Data processing method and data processing device
CN114666079B (en) * 2020-12-22 2023-03-24 中国科学院沈阳自动化研究所 Industrial control system access control method based on attribute certificate
CN112883399B (en) * 2021-03-11 2022-03-25 郑州信大捷安信息技术股份有限公司 Method and system for realizing secure sharing of encrypted file
CN113271309B (en) * 2021-05-24 2022-04-08 四川师范大学 Hierarchical file encryption method and system
CN113378230A (en) * 2021-07-05 2021-09-10 东南大学 Data access control method of DDS (direct digital synthesizer) distributed system
CN113742743B (en) * 2021-07-23 2023-08-08 苏州浪潮智能科技有限公司 LDAP-based data encryption access control method and system
CN114513533B (en) * 2021-12-24 2023-06-27 北京理工大学 Classified and graded body-building health big data sharing system and method
CN114650184B (en) * 2022-04-15 2023-05-26 四川中电启明星信息技术有限公司 Docker process security access control method based on trust degree
CN116232704B (en) * 2023-02-13 2024-05-03 广州大学 Data controlled access method and system based on XACML and intelligent contract

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102916954A (en) * 2012-10-15 2013-02-06 南京邮电大学 Attribute-based encryption cloud computing safety access control method
CN103327002A (en) * 2013-03-06 2013-09-25 西安电子科技大学 Cloud storage access control system based on attribute

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on access control based on CP-ABE; Zhou Yanping et al.; Electronic Products World; 20130830; full text *
Design and implementation of an access control system based on CP-ABE; Zhou Yanping et al.; Computer Technology and Development; 20140230; Vol. 24, No. 2; Sections 0-2 *

Also Published As

Publication number Publication date
CN105991278A (en) 2016-10-05

Similar Documents

Publication Publication Date Title
CN105991278B (en) A ciphertext access control method based on CP-ABE
US11651362B2 (en) Method and system for zero-knowledge and identity based key management for decentralized applications
CN114513533B (en) Classified and graded body-building health big data sharing system and method
Damiani et al. Managing multiple and dependable identities
Khalid et al. Cloud based secure and privacy enhanced authentication & authorization protocol
CN109743172A (en) Based on alliance's block chain V2G network cross-domain authentication method, information data processing terminal
Hui et al. Survey on Blockchain for Internet of Things.
Huang et al. Blockchain-assisted transparent cross-domain authorization and authentication for smart city
CN106992988A (en) A cross-domain anonymous resource sharing platform and its implementation method
Bai et al. Decentralized and self-sovereign identity in the era of blockchain: a survey
Ramani et al. Ndn-abs: Attribute-based signature scheme for named data networking
CN109981287A (en) A code signing method and its storage medium
CN115426136B (en) Cross-domain access control method and system based on block chain
Slamanig et al. User-centric identity as a service-architecture for eIDs with selective attribute disclosure
Salehi et al. A dynamic cross-domain access control model for collaborative healthcare application
Hong et al. Service outsourcing in F2C architecture with attribute-based anonymous access control and bounded service number
Fotiou et al. Capability-based access control for multi-tenant systems using OAuth 2.0 and Verifiable Credentials
Saravanaguru et al. Securing web services using XML signature and XML encryption
Dumas et al. LocalPKI: An interoperable and IoT friendly PKI
Chatterjee et al. An efficient fine grained access control scheme based on attributes for enterprise class applications
Deshmukh et al. Secure fine-grained data access control over multiple cloud server based healthcare applications
Zhao et al. Research on digital identity technology and application based on identification code and trusted account blockchain fusion
CN106059759A (en) Architecture method for CP-ABE (Ciphertext-Policy Attribute-Based Encryption) ciphertext access control
Yingkai et al. An identity authentication scheme for the cloud computing environment
Tan et al. Blockchain-Based Cross-domain Access Control Mechanism

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant